Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 18-12-2024 22:55

Behavioral task: behavioral1
Sample: a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe
Resource: win7-20240903-en (windows7-x64)
9 signatures, 150 seconds
General
Target: a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe
Size: 3.7MB
MD5: 4062f74bf62046004298ebcb3629f2d4
SHA1: 9f7d9c6ee3f7881ba821fb7e2ab44004cc73afe8
SHA256: a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5
SHA512: a580ea4e5491135652c054ae252638b57636fea294bd2406d5a7920a5274caeb3c03cc38ab21f29b9fa33e6469e1ae70add16a1c3abf6d7079f7922e3a4f9058
SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98+:U6XLq/qPPslzKx/dJg1ErmNd
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (44 IoCs)
- Njrat family
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree. Each entry lists the image path, the command line in parentheses, and the process ID; the leading number is the entry's nesting depth in the tree. Signatures triggered by a process are listed beneath it.

1. C:\Users\Admin\AppData\Local\Temp\a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe ("C:\Users\Admin\AppData\Local\Temp\a636daaddbc0143f3a01d46230662f125ccdfdce2613643fa9cdb67fa460a9b5.exe") PID:2052
   - Suspicious use of WriteProcessMemory
2. \??\c:\9xfxxff.exe (c:\9xfxxff.exe) PID:1812
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. \??\c:\rflrffl.exe (c:\rflrffl.exe) PID:2292
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. \??\c:\9dpdp.exe (c:\9dpdp.exe) PID:2668
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
5. \??\c:\bhhnht.exe (c:\bhhnht.exe) PID:2372
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. \??\c:\xxrlxxx.exe (c:\xxrlxxx.exe) PID:2744
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. \??\c:\9bbhnb.exe (c:\9bbhnb.exe) PID:2620
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. \??\c:\djdpd.exe (c:\djdpd.exe) PID:2736
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. \??\c:\1pdpj.exe (c:\1pdpj.exe) PID:2500
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. \??\c:\xxlrllx.exe (c:\xxlrllx.exe) PID:2940
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. \??\c:\bnhhnt.exe (c:\bnhhnt.exe) PID:1852
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
12. \??\c:\nbhhth.exe (c:\nbhhth.exe) PID:2044
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. \??\c:\dvvpj.exe (c:\dvvpj.exe) PID:2816
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. \??\c:\5rllxfr.exe (c:\5rllxfr.exe) PID:2528
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. \??\c:\nttbbh.exe (c:\nttbbh.exe) PID:620
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. \??\c:\djdjp.exe (c:\djdjp.exe) PID:2132
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. \??\c:\rfllllr.exe (c:\rfllllr.exe) PID:1716
   - Executes dropped EXE
18. \??\c:\lflfrrx.exe (c:\lflfrrx.exe) PID:2020
   - Executes dropped EXE
19. \??\c:\xxlxlxx.exe (c:\xxlxlxx.exe) PID:1992
   - Executes dropped EXE
20. \??\c:\jpjvp.exe (c:\jpjvp.exe) PID:1928
   - Executes dropped EXE
21. \??\c:\dvddj.exe (c:\dvddj.exe) PID:1768
   - Executes dropped EXE
22. \??\c:\nnbbnn.exe (c:\nnbbnn.exe) PID:2360
   - Executes dropped EXE
23. \??\c:\5hntbb.exe (c:\5hntbb.exe) PID:740
   - Executes dropped EXE
24. \??\c:\5vvdd.exe (c:\5vvdd.exe) PID:660
   - Executes dropped EXE
25. \??\c:\vpjjv.exe (c:\vpjjv.exe) PID:2092
   - Executes dropped EXE
26. \??\c:\1pjpp.exe (c:\1pjpp.exe) PID:2164
   - Executes dropped EXE
27. \??\c:\pvvvd.exe (c:\pvvvd.exe) PID:944
   - Executes dropped EXE
28. \??\c:\7frxllr.exe (c:\7frxllr.exe) PID:1092
   - Executes dropped EXE
29. \??\c:\dvjpd.exe (c:\dvjpd.exe) PID:1724
   - Executes dropped EXE
30. \??\c:\7vddj.exe (c:\7vddj.exe) PID:788
   - Executes dropped EXE
31. \??\c:\vjvdp.exe (c:\vjvdp.exe) PID:292
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
32. \??\c:\jvdjp.exe (c:\jvdjp.exe) PID:2364
   - Executes dropped EXE
33. \??\c:\1bttnn.exe (c:\1bttnn.exe) PID:2308
   - Executes dropped EXE
34. \??\c:\9tnbbb.exe (c:\9tnbbb.exe) PID:2172
   - Executes dropped EXE
35. \??\c:\ttnbnb.exe (c:\ttnbnb.exe) PID:1844
   - Executes dropped EXE
36. \??\c:\hbnbbb.exe (c:\hbnbbb.exe) PID:2900
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
37. \??\c:\pvjpd.exe (c:\pvjpd.exe) PID:2572
   - Executes dropped EXE
38. \??\c:\9pdvp.exe (c:\9pdvp.exe) PID:2420
   - Executes dropped EXE
39. \??\c:\vppvj.exe (c:\vppvj.exe) PID:1624
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
40. \??\c:\bttbht.exe (c:\bttbht.exe) PID:2436
   - Executes dropped EXE
41. \??\c:\1tnhtt.exe (c:\1tnhtt.exe) PID:3016
   - Executes dropped EXE
42. \??\c:\tbtnbn.exe (c:\tbtnbn.exe) PID:2704
   - Executes dropped EXE
43. \??\c:\ttbhnt.exe (c:\ttbhnt.exe) PID:2692
   - Executes dropped EXE
44. \??\c:\ddjpp.exe (c:\ddjpp.exe) PID:2716
   - Executes dropped EXE
45. \??\c:\dvppd.exe (c:\dvppd.exe) PID:2524
   - Executes dropped EXE
46. \??\c:\1pjdj.exe (c:\1pjdj.exe) PID:2652
   - Executes dropped EXE
47. \??\c:\tnhntb.exe (c:\tnhntb.exe) PID:2540
   - Executes dropped EXE
48. \??\c:\tthnht.exe (c:\tthnht.exe) PID:2504
   - Executes dropped EXE
49. \??\c:\3rrxlrx.exe (c:\3rrxlrx.exe) PID:1728
   - Executes dropped EXE
50. \??\c:\lflrfll.exe (c:\lflrfll.exe) PID:804
   - Executes dropped EXE
51. \??\c:\7ddpv.exe (c:\7ddpv.exe) PID:2788
   - Executes dropped EXE
52. \??\c:\7thntn.exe (c:\7thntn.exe) PID:2840
   - Executes dropped EXE
53. \??\c:\1ntbnt.exe (c:\1ntbnt.exe) PID:2960
   - Executes dropped EXE
54. \??\c:\xrfxfxx.exe (c:\xrfxfxx.exe) PID:1784
   - Executes dropped EXE
55. \??\c:\3lxxxxf.exe (c:\3lxxxxf.exe) PID:1400
   - Executes dropped EXE
56. \??\c:\1pvdd.exe (c:\1pvdd.exe) PID:552
   - Executes dropped EXE
57. \??\c:\nhntbb.exe (c:\nhntbb.exe) PID:1792
   - Executes dropped EXE
58. \??\c:\tnhtht.exe (c:\tnhtht.exe) PID:1328
   - Executes dropped EXE
59. \??\c:\fxrlrxf.exe (c:\fxrlrxf.exe) PID:1444
   - Executes dropped EXE
60. \??\c:\9jvpv.exe (c:\9jvpv.exe) PID:1608
   - Executes dropped EXE
61. \??\c:\tnhhtn.exe (c:\tnhhtn.exe) PID:2464
   - Executes dropped EXE
62. \??\c:\nthhnt.exe (c:\nthhnt.exe) PID:1932
   - Executes dropped EXE
63. \??\c:\fxfflxf.exe (c:\fxfflxf.exe) PID:2112
   - Executes dropped EXE
64. \??\c:\9dvdv.exe (c:\9dvdv.exe) PID:2088
   - Executes dropped EXE
65. \??\c:\dvpdd.exe (c:\dvpdd.exe) PID:1860
   - Executes dropped EXE
66. \??\c:\bthnnh.exe (c:\bthnnh.exe) PID:1488
67. \??\c:\1lxfrxf.exe (c:\1lxfrxf.exe) PID:1128
68. \??\c:\jjjpd.exe (c:\jjjpd.exe) PID:448
69. \??\c:\9pvvj.exe (c:\9pvvj.exe) PID:2064
70. \??\c:\3bnnhb.exe (c:\3bnnhb.exe) PID:1556
71. \??\c:\nbnthh.exe (c:\nbnthh.exe) PID:628
72. \??\c:\xlrrxfl.exe (c:\xlrrxfl.exe) PID:1188
73. \??\c:\9frrffl.exe (c:\9frrffl.exe) PID:2888
74. \??\c:\vjjjp.exe (c:\vjjjp.exe) PID:840
75. \??\c:\nhtbtt.exe (c:\nhtbtt.exe) PID:2176
76. \??\c:\5xllxxl.exe (c:\5xllxxl.exe) PID:2988
77. \??\c:\7lxfxxf.exe (c:\7lxfxxf.exe) PID:1720
78. \??\c:\pjjpd.exe (c:\pjjpd.exe) PID:1736
79. \??\c:\pjjjp.exe (c:\pjjjp.exe) PID:2928
80. \??\c:\bthhnn.exe (c:\bthhnn.exe) PID:1844
81. \??\c:\5frflfr.exe (c:\5frflfr.exe) PID:1688
82. \??\c:\llflxrf.exe (c:\llflxrf.exe) PID:2456
83. \??\c:\vpvdd.exe (c:\vpvdd.exe) PID:2432
84. \??\c:\3tbhnh.exe (c:\3tbhnh.exe) PID:3020
85. \??\c:\bnbhtn.exe (c:\bnbhtn.exe) PID:760
86. \??\c:\xrllflr.exe (c:\xrllflr.exe) PID:2156
87. \??\c:\9vvdj.exe (c:\9vvdj.exe) PID:2700
88. \??\c:\jvdpp.exe (c:\jvdpp.exe) PID:2704
89. \??\c:\hbbhhh.exe (c:\hbbhhh.exe) PID:2868
90. \??\c:\5lrrflr.exe (c:\5lrrflr.exe) PID:2744
91. \??\c:\jdvpv.exe (c:\jdvpv.exe) PID:2620
92. \??\c:\pjpvp.exe (c:\pjpvp.exe) PID:2524
93. \??\c:\thtbbb.exe (c:\thtbbb.exe) PID:2712
94. \??\c:\3fxflrx.exe (c:\3fxflrx.exe) PID:2608
95. \??\c:\lfrxxrx.exe (c:\lfrxxrx.exe) PID:2500
96. \??\c:\3dpdd.exe (c:\3dpdd.exe) PID:1700
97. \??\c:\thbtbh.exe (c:\thbtbh.exe) PID:2588
   - System Location Discovery: System Language Discovery
98. \??\c:\llxfrxf.exe (c:\llxfrxf.exe) PID:2808
99. \??\c:\frlfllr.exe (c:\frlfllr.exe) PID:2840
100. \??\c:\3pdjv.exe (c:\3pdjv.exe) PID:2964
101. \??\c:\nnbnbh.exe (c:\nnbnbh.exe) PID:1684
102. \??\c:\vpjjv.exe (c:\vpjjv.exe) PID:1400
103. \??\c:\nnhhnn.exe (c:\nnhhnn.exe) PID:2132
104. \??\c:\bbnthh.exe (c:\bbnthh.exe) PID:1208
105. \??\c:\3rfflrx.exe (c:\3rfflrx.exe) PID:2024
106. \??\c:\vjjvv.exe (c:\vjjvv.exe) PID:1716
107. \??\c:\ttnntb.exe (c:\ttnntb.exe) PID:1996
108. \??\c:\bthntt.exe (c:\bthntt.exe) PID:1916
109. \??\c:\lfxlffx.exe (c:\lfxlffx.exe) PID:1932
110. \??\c:\dvddp.exe (c:\dvddp.exe) PID:2376
111. \??\c:\3pvvp.exe (c:\3pvvp.exe) PID:1912
112. \??\c:\hbnbtb.exe (c:\hbnbtb.exe) PID:900
113. \??\c:\9flrlfl.exe (c:\9flrlfl.exe) PID:960
114. \??\c:\jjppj.exe (c:\jjppj.exe) PID:408
115. \??\c:\jdjpd.exe (c:\jdjpd.exe) PID:1664
116. \??\c:\3hbbtb.exe (c:\3hbbtb.exe) PID:352
117. \??\c:\xlflxrx.exe (c:\xlflxrx.exe) PID:2208
118. \??\c:\ppjvp.exe (c:\ppjvp.exe) PID:944
119. \??\c:\vjvdp.exe (c:\vjvdp.exe) PID:1092
120. \??\c:\hbtntb.exe (c:\hbtntb.exe) PID:1532
121. \??\c:\fxrxllr.exe (c:\fxrxllr.exe) PID:1628
122. \??\c:\llxflfr.exe (c:\llxflfr.exe) PID:292